b'                                                                      OIG Report No. 08-06\n\n\nExecutive Summary\n\nThe Federal Managers\' Financial Integrity Act (FMFIA) of 1982 (Public Law 97-255)\nrequires ongoing evaluations and reports of the adequacy of internal accounting and\nadministrative control of each executive agency. The Act requires the head of each\nagency to annually prepare a statement on the adequacy of the agency\'s systems of\ninternal accounting and administrative control. Office of Management and Budget\n(OMB) Circular A-I23 (Revised), Management\'s Responsibility for Internal Control,\ncontains guidance for implementing FMFIA. OMB A-123 requires management to\nannually report on internal control in its Performance and Accountability Report (PAR),\nincluding a report on identified material weaknesses and corrective actions. It also\nprovides that the agency head, in preparing the annual assurance statement, should\nconsider input from the Office of Inspector General.\n\nAnnually, the OIG performs a review to ensure agency managers continuously monitor\nand improve the effectiveness of internal controls associated with their programs. This\ncontinuous monitoring in conjunction with other periodic evaluations provides the basis\nfor the agency head\'s annual assessment of, and report on, internal controls as required\nbyFMFIA.\n\nOur initial assessment of the agency\'s FY 2007 assurance statement, as conveyed in our\nOctober 23, 2007 memorandum (See Attachment A), was that the statement was\ninaccurate and underreported risk associated with NARA\'s Preservation and Processing\nprograms.\n\nSubsequently, we performed a detailed review of individual office assurance statements\nand found inconsistencies in conducting and reporting internal control reviews. We\nfound many ofthe staff offices did not conduct formal internal control evaluations in\naccordance with their internal control plans, while other offices did not maintain\ndocumentation of such reviews in accordance with agency guidance. This was the result\nof a lack of familiarity with NARA 114, an incomplete understanding of internal\ncontrols, and management control plans which were improperly or too narrowly scoped.\nAs a result of a lack of, improperly documented, or improperly scoped internal control\nreviews, NARA lacks assurance risks are adequately identified and managed\nappropriately.\n\nWe are making 3 recommendations we believe will address the identified weaknesses.\n\n\n\n\n                      National Archives and Records Administration\n\x0c                                                                       OIG Report No. 08-06\n\n\nBackground\n\nThe Federal Managers\' Financial Integrity Act (FMFIA), Public Law 97-255, requires\neach agency to establish controls that reasonably ensure: (1) obligations and costs comply\nwith applicable law, (2) assets are safeguarded against waste, loss, unauthorized use or\nmisappropriation, and (3) revenues and expenditures are properly recorded and accounted\nfor. In addition, the agency head must annually evaluate and report on the systems of\ninternal accounting and administrative control.\n\nThe Office of Management and Budget (OMB) Circular A-l23, Management\'s\nResponsibility for Internal Control, defines management\'s responsibility for internal\ncontrol in Federal agencies. It provides guidance to Federal managers on improving the\naccountability and effectiveness of Federal programs and operations by establishing,\nassessing, correcting, and reporting on internal control. OMB revised Circular A-123 in\nresponse to the Sarbanes-Oxley Act, effective in fiscal year 2006. This revision\nstrengthened the requirements for management\'s assessment of internal control over\nfinancial reporting. The new requirements apply only to the 24 Chief Financial Officer\nAct agencies, thus exempting NARA from performing an A-127 review and reporting\npursuant to Section 4 ofthe FMFIA. However, NARA is still required to report on\ninternal controls pursuant to Section 2 ofFMFIA.\n\nNARA issued Directive 114, Management Controls, to help managers implement the\nrequirements ofOMB A-123. NARA 114 defines responsibilities; defines the types of\nreviews that could be considered internal control assessments; identifies documentation\nthat must be maintained in support of an internal control evaluation, and; addresses the\ndevelopment and maintenance of management control plans. Among the responsibilities\ndefined by this guidance, Office Heads are required to identify and analyze risk and the\nPolicy and Planning Staff (NPOL) are required to provide oversight, guidance, and\nassistance to NARA offices concerning implementation of the NARA internal control\nprogram.\n\nAssurance statements and information relating to FMFIA Section 2, Section 4 (from\nwhich NARA is exempt), and internal control over financial reporting should be provided\nin a single FMFIA report section of the annual Performance and Accountability Report\n(PAR) labeled "Management Assurances." The section should include the annual\nassurance\'statement, summary of material weaknesses and non-conformances, and\nsummary of corrective action plans.\n\nObjectives, Scope, and Methodology\n\nThe purpose of our evaluation was to determine the extent to which there is sufficient\nevidence NARA complied with the requirements of the FMFIA, OMB Circular\nA-I23, and NARA 114, to support the Archivist\'s fiscal year 2007 assurance statement to\nthe President and Congress. Specifically, our objectives were to (1) assess whether\nmanagement is continually and consistently reviewing critical areas, and (2) verify the\n\n\n\n                                            2\n\n                      National Archives and Records Administration \n\n\x0c                                                                        OIG Report No. 08-06\n\n\naccuracy of information contained in management\'s assurance statements to the\nArchivist.\n\nTo accomplish our objective, we examined the assurance statements and related internal\ncontrol evaluation documents submitted by NARA office heads, reviewed additional\nsupporting documentation maintained by the offices, and met with management control\nliaisons and other management officials. We performed a detailed review of the\nassurance statements and management control plans for the five major program offices\n(e.g. NA, NH, NL, NR, and NW), sub offices (e.g. NAA, NAF, NAS), and staff offices\n(e.g. ISOO, NEEO, NGC). Specifically, we\n     \xe2\x80\xa2 \t reviewed the related evaluation files to assess the timeliness and adequacy of\n         actions planned and taken in response to recommendations from evaluations\n         completed in both the current and previous fiscal years;\n     \xe2\x80\xa2 \t compared information in the evaluation files to the assurance statements to assess\n         the accuracy of information reported in the assurance statements;\n     \xe2\x80\xa2 \t reviewed sub-office (e.g. NAF, NAR, NAS, etc.) assurance statements to\n         determine if the next higher level of management was performing a sufficient\n         review of information passed up to them, and;\n     \xe2\x80\xa2 \t reviewed management\'s evaluation of controls in accordance with each office\'s\n         Management Control Plan for FY 2007 and agency guidance concerning the\n         conduct of such evaluations.\n\nTo facilitate the submission ofNARA\'s annual assurance statement we performed a\npreliminary review of the agency assurance statement in October 2007.\n\nThis audit was conducted in accordance with generally accepted government auditing\nstandards (GAGAS) between October 2007 and January 2008. These standards require\nwe plan and perform the audit to obtain sufficient, appropriate evidence to provide a\nreasonable basis for our findings and conclusions based on our audit objectives. We\nbelieve the evidence obtained provides a reasonable basis for our findings and\nconclusions based on our audit objectives.\n\nCritical Areas were not Consistently Reviewed\n\nOur review revealed several staff offices did not conduct internal control reviews of\ncritical functions in accordance with their management control plan. This was the result\nof a lack of familiarity with, and understanding of, proper internal control testing such as\nis required by OMB A-123 and further defined in NARA 114; and in some cases critical\nfunctions that were too narrowly defined to allow proper testing. Furthermore,\nindividuals responsible for reviewing the results of these management control reviews\nconducted by sub-offices did not question the absence of such information. OMB\nCircular A-123 requires the agency and individual managers to take systematic and\nproactive measures to assess the adequacy of internal controls in Federal programs and\noperations, identify needed improvements, take corresponding corrective action, and\nreport annually on internal controls in order to be accountable for their area of control.\nNARA Directive 114, establishes NARA policy for implementing the requirements of\n\n\n                                             3\n\n                       National Archives and Records Administration \n\n\x0c                                                                     OIG Report No. 08-06\n\n\nOMB A-123. Both documents convey the elements necessary for conducting and\ndocumenting sufficient internal control reviews. The absence of internal control reviews\ndecreases the likelihood significant risks or weaknesses are identified and properly\nmanaged and increases the likelihood the agency\'s assurance statement is inaccurate.\n\nWe found several staff and sub-offices were not conducting internal control reviews of\ncritical functions as identified in their management control plan. Several staff offices,\nand some sub-offices, were unable to provide us with supporting documentation\nnecessary to establish internal control reviews were being performed. In some cases we\nwere told such reviews were being conducted "informally" or through the course of daily\noperations and therefore were not specifically documented. In other cases management\ncontrol liaisons and managers cited confusion as to what constituted an internal control\nreview and unfamiliarity with guidance contained in OMB A-123 and NARA 114. In the\ncase of some ofthe smaller offices we found critical functions were narrowly defined,\nmore analogous to work processes, hindering the risk assessment and evaluation process.\n\nInternal controls - organization, policies, and procedures - are tools that help program\nand financial managers achieve results and safeguard the integrity of their programs.\nInternal controls provide a means of managing the risk associated with Federal programs\nand operations and require managers to define the control environment (e.g. programs,\noperations) and then perform risk assessments to identify the most significant areas\nwithin that environment in which to place or enhance controls. Management should have\na clear, organized strategy with well defined documentation processes containing an audit\ntrail, verifiable results, and specify document retention periods. NARA 114 provides\nguidance on the types of reviews which can be considered internal control reviews and\nthe documentation required to support such reviews. It requires information created as a\nresult of assessing, correcting, and reporting on internal controls to be maintained in\naccordance with the NARA Maintenance and Records Disposition Manual (Files 203),\nitem number 220 - Management Control Evaluation Files; and documentation assessing\nrisk to be maintained under item number 219 - Risk Assessment Files.\n\nFailing to consistently review critical areas/programs weakens management\naccountability and decreases the likelihood problems will be identified and program risks\nminimized. Furthermore, it promotes a false sense of assurance about the level of\nprogram or function oversight provided by management and could result in an agency\nassurance statement which inaccurately conveys risk.\n\nCritical Area Reviews are not Documented in Accordance with NARA Policy\n\nThe OIG found two offices were not properly documenting critical area reviews listed in\ntheir management control plan. This condition was attributed to a lack of understanding\nof, or familiarity with, NARA 114, which specifically addresses the requirements for\nconducting and documenting internal control assessments. Specifically we found two\nprogram offices were not documenting the review of unit self-assessments by a higher\nlevel of management.\n\n\n\n                                           4\n                      National Archives and Records Administration\n\x0c                                                                       OIG Report No. 08:-06\n\n\nAs a result, information necessary to "close the loop" of the review process, such as\nreview results and corrective actions, was absent from the process.\n\nNARA 114, establishes policy for improving the accountability and effectiveness of\nNARA programs and operations by establishing, assessing, correcting, and reporting on\nmanagement controls. Furthermore, subparagraph 6 ofthe guidance states that internal\ncontrol assessments must be documented in writing and provide the following\ninformation:\n    \xe2\x80\xa2 \t A description of the operation or activity reviewed and the method of testing or\n        examining existing management controls;\n    \xe2\x80\xa2 \t A notation of the date(s) and place(s) the review was conducted and name(s) of\n        the reviewer(s) and program staff involved with the review;\n    \xe2\x80\xa2 \t A statement of the results of the review;\n    \xe2\x80\xa2 \t A statement ofthe necessary corrective action(s) for any deficiencies found, and;\n    \xe2\x80\xa2 \t Documentation that the review or results of the review were reported to the next\n        level of management.\n\nFor self-assessments, NARA 114 requires a party outside a reporting unit who has\nknowledge of the unit\'s operations (e.g. a higher level manager or the management\ncontrol liaison) must evaluate the self-assessment findings and provide the assessed unit\nwith written notice of concurrence or disagreement with the findings and any\nrecommended corrective action.\n\nWithout a properly documented review neither the Archivist nor the OIG can (1)\ndetermine whether appropriate controls were properly tested, and (2) place reliance on\nthese aspects of the component offices assurance statements.\n\nRecommendation 1. NPOL should stress to management the importance of performing\ninternal control assessments of their critical areas in accordance with their management\ncontrol plans. This includes ensuring reviews are documented in accordance with NARA\n114.6. Management control liaisons and upper managers should be reminded oftheir\nresponsibility for reviewing sub-office and sub-unit assurance statements and ensuring\ninternal control reviews are conducted and documented.\n\nManagement Response\n\nManagement concurred with our recommendation.\n\nRecommendation 2. NPOL should revise NARA 114 to require the results of internal\ncontrol reviews, conducted in accordance with each offices management control plan, be\nincluded in each offices assurance statement.\n\nManagement Response\n\nManagement concurred with our recommendation.\n\n\n\n                                            5\n\n                      National Archives and Records Administration \n\n\x0c                                                                     OIG Report No. 08-06\n\n\nRecommendation 3. The NARA management control liaison should work with the\noffices and office management control liaisons to review, and revise as necessary, the\n"critical functions" contained in the management control plans. The revision to these\nplans should seek to identify and rank risks to major program and functional areas and\nundertake internal control reviews of major risk areas.\n\nManagement Response\n\nManagement concurred with our recommendation.\n\n\n\n\n                                            6\n                      National Archives and Records Administration\n\x0c                                                                        DIG Report No. 08-06\n\n\n                                                                              Attachment A\n                                                                                   Page 1 of 5\n\n                                                   National Archives and Records Administration\n                                                                             8601 Adelphi Road\n                                                            College Park, Maryland 20740-6001\n\n\n\n\nDate         October 23,2007\n\nReply to\nAttn of      Office of Inspector General (OIG)\n\nSubject      Review ofNARA\'s FY 2007 Statement of Assurance\n\nTo           Allen Weinstein, Archivist of the United States\n\nBased upon our examination of the subject draft letter and our preliminary assessment of\nNARA\'s Management Control Program for fiscal year 2007, we do not agree with the\nassurance statement for Section 2 ofthe Federal Manager\'s Financial Integrity Act\n(FMFIA) report requirements. We disagree with the letter because it does not reflect\nmaterial risks identified by the OIG in NARA\'s Preservation and Processing programs\nnor does it accurately reflect risks in NARA\'s Information Security Program.\n\nPreservation Program\n\nNARA\' FY 2007 assurance statement reported the Preservation Program material\nweakness, identified by the OIG in FY 2005, as a reportable condition. Based on our\nreview, NARA has not done sufficient work to minimize the risks found in our report to a\nreportable condition. Our report identified that: a) items needing preservation have not\nbeen identified; b) budget and staffing is inadequate to address preservation needs in a\ntimely manner; c) criteria for assessing preservation need is not consistently applied; d)\narchival storage facilities are not in compliance with storage standards; and e)\npreservation performance measurement data is incorrect.\n\nIn 2007 NARA refined the methodology and criteria for identifying items needing\npreservation. However there has not been sufficient time to evaluate whether the new\nmethodology is effective in surveying, identifying, documenting and ranking NARA\nrecords needing preservation.\n\nAlso, in FY 2007 NARA began updating its preservation at-risk list on an on-going basis\ninstead of once a year. This will increase NARA\' s backlog of items needing\npreservation. Management has defined that 71 percent of current items at NARA needs\nsome form of Preservation. Our audit report identified that NARA currently has a\nbacklog of items needing preservation that would take 21 years to complete. Increasing\nthe number of items on the at-risk list will result in NARA taking more than 21 years to\n\n\n                      National Archives and Records Administration\n\x0c                                                                        OIG Report No. 08-06\n\n\n\n\n                                                                             Attachment A\n                                                                                Page 2 of5\n\ncomplete the backlog given that the resource levels in preservation have remained\nrelatively static.\n\nNARA has requested additional funding for the Preservation Program but the agency has\nnot received the required funding for the Preservation Program. Until NARA is able to\nsecure additional funding, the backlog of items on the preservation at-risk list will\ncontinue to grow rather then be addressed. NARA management recognizes this problem\nand has changed the performance measure for preservation of holdings to "by 2016, less\nthan 50 percent of archival holdings require preservation action."\n\nFurthermore facilities that hold NARA\'s permanent records do not meet the Archival\nStorage Standards which has implications for the preservation of holdings. NARA has\nincluded some of its facilities on the Capital Improvements Plan to be funded with new\nappropriations. NARA management acknowledges the deficiencies in the facilities and\nhas changed the completion dates to have all the facilities compliant with the standards\nfrom FY 2009 to FY 2016.\n\nIn conclusion, the material risks identified by the OIG in the FY 2005 report still exist\nand have not been mitigated to the level of a reportable condition. While NARA has\ncontinued to initiate improvement efforts in FY 2007, management has not\nimplemented sufficient controls and is not in the position to ensure all items needing\npreservation are managed and preserved in a timely manner. Therefore NARA\nrecords are at risk of lost and the Preservation Program for FY 2007 should still be\nreported as a material weakness.\n\nProcessing Program\n\nThe FY 2007 assurance statement did not report the processing of records accessioned\ninto NARA as a material weakness. Based on our audit of this area, NARA is materially\nconstrained in its ability to provide efficient and effective access to, and information\nabout, NARA holdings. This affects NARA\'s ability to meet its mission of ensuring\npublic access to records as soon as legally possible. This condition is the result oflarge\nbacklogs of inadequately processed records and records awaiting adequate description\nand entry into the Archival Research Catalog (ARC). NARA management is aware of\nthe backlogs, having initiated a study known as the Workload Analysis Study (WAS) that\nrevealed the enormity of the processing backlog in textual records.\n\nThis study of processing found that only 36 percent of textual holdings are adequately\nprocessed (i.e., ready for efficient and effective use by the public), meaning that 1.85\nmillion cubic feet of records require additional processing to be considered appropriately\nprocessed. The study places the cost for complete processing of these records at a\nstaggering $1.57 billion. Additionally, our review of Performance Management and\n\n\n\n                       National Archives and Records Administration\n\x0c                                                                         OIG Report No. 08-06\n\n\n                                                                              Attachment A\n                                                                                 Page 3 of5\n\nReporting System (PMRS) statistics show that just over half ofNARA\'s traditional\nholdings are described in ARC. While this meets NARA\'s strategic goal of having 50\npercent of traditional archival holdings described in an online catalog, it still leaves more\nthan 1.6 million cubic feet of traditional archival holdings not described in ARC, making\nit more difficult for the public to learn about and use these holdings.\n\nIn April 2007 management submitted an action plan to our office and indicated that\nrecommendations 1a-I c were closed. We reviewed the plan and supporting\ndocumentation and did not concur that the recommendations were closed. In May 2007\nwe requested additional documentation from the Office of Policy and Planning (NPOL)\nwhich might explain the basis for closing these recommendations. We did not receive a\nresponse from NPOL. In this same communication we defined what additional actions\nwe viewed as necessary to successfully implement the recommendations in order to close\nthem out. We consider successful implementation of the recommendations contained in\nthe processing audit report a key component in establishing adequate internal controls\nand essential to our consideration as to whether the processing of accessioned records can\nbe reduced from the category of Material Weakness.\n\nAs a result the Processing program should be defined as a material weakness in your FY\n2007 assurance statement.\n\nInformation Security Program\n\nIn the area of information security, your assurance statement indicated that IT security\nwas being reported as a material weakness based on weaknesses identified in a fourth\nquarter internal review done by a NH contractor which mirrored many of the OIG\nfindings to date. Specifically, according to your assurance statement the review\nidentified the following areas for inclusion in the material weakness: strengthening\nprocesses written policies, improving communication and training for business owners\nregarding their roles and responsibilities with respect to IT systems, and improving the\nquality assurance processes for the IT Security Program. However, the language in the\ntransmittal omits the breadth of critical security weaknesses identified in OIG audit\nreports, specifically:\n\n1. Information Technology Refresh - The ability to provide a secure computing\nenvironment for the agency\'s computer network users may soon be hindered, because\nNARA management has done no planning for the migration of its Novell Netware\noperating system to another type of software, even though Novell announced that it is\nphasing out this operating system. As a result, future security vulnerabilities will pose a\ngreater risk under the current system due to the lack of available patches and vendor\nsupport. In February 2005, Novell released Netware 7.0, Open Enterprise Server (OES),\na product aimed at helping its Netware customers move to Linux. At that time, we\nrecommended that management immediately begin planning for the migration from\n\n\n\n                       National Archives and Records Administration\n\x0c                                                                        OIG Report No. 08-06\n\n\n                                                                             Attachment A\n                                                                                Page 4 ofS\n\nNovell Netware to another type of operating system software, e.g., Microsoft or Linux.\nAlthough they initially agreed with us, management officials subsequently non-concurred\nwith our recommendation, stating that NARA has identified no business need to\nimmediately begin planning a migration from Novell Netware to another type of\noperating system.\n\n2. Computer Security Incident Response Capability (CSIRC) - NARA officials have not\nestablished a 24 hours per dayl7 days per week computer security incident response\ncapability (CSIRC) that can react quickly to investigate, contain, and mitigate security\nincidents. No testing has been performed to ensure that the Computer Incident Response\nTeam (CIRT) will function in the most efficient and effective manner possible. Post\nincident activities, i.e., holding lessons learned meetings and preparing follow-up reports,\nhave not been conducted, in accordance with the guidance in National Institute of\nStandards and Technology (NIST) Special Publication (SP) 800-61, Computer Security\nIncident Handling Guide.\n\n3. Contingency PlanningiDisaster Recovery - NARA\'s recovery strategy offailing-to\xc2\xad\npaper for quickly and effectively restoring its mission critical IT systems after a severe\nservice disruption or disaster is inadequate because the strategy (a) is not in sync with\nrequirements of the Contingency Plans prepared for the mission critical IT systems; (b) is\nnot in keeping with the President\'s initiative of an expanded electronic government and\nthe Government Paperwork Elimination Act (GPEA); and (c) will not enable NARA to\nsatisfy its customers\' needs in a timely manner, i.e., providing ready access to evidence\nthat documents the rights of American citizens, the ac:tions of Federal officials, and the\nnational experience. Testing of the contingency plans, to confirm the accuracy of the\nindividual recovery procedures and the overall effectiveness of the plan, was inadequate.\n\n4. Certification and Accreditation (C&A) Process - System Security Plans are\nincomplete, i.e., the plans do not contain all the information necessary for the\nCertification Authority and the Designated Approving Authority to make an informed,\nrisk-based decision about the system. The preparation of Plans of Action and Milestones\n(POA&Ms) requires improvement, to provide management with the necessary\ninformation for ensuring that system threats and vulnerabilities are accurately identified\nand properly mitigated or accepted.\n\n5. Disk Space Utilization - Valuable disk drive space that could be used to store\nbusiness-related data is taken up by inappropriate data, i.e., potentially inappropriate\nmedia files were stored on the servers, in violation ofthe provisions ofNARA 802 and,\npossibly, U.S. copyright laws.\n\n6. Unmanaged Devices - Unmanaged network devices, such as hubs and multifunction\ncopiers, are connected to the agency\'s computer network, resulting in the potential for\nsevere performance and security issues.\n\n\n\n                      National Archives and Records Administration\n\x0c                                                                         DIG Report No. 08-06\n\n\n                                                                              Attachment A\n                                                                                 Page 5 of5\n\n7. Network Printer Configuration - Network printers pose significant security\nvulnerabilities because they are not properly configured, i.e., the printers allow\nunauthenticated administrator changes (no passwords were used); accept telnet and file\ntransfer protocol (FTP) connections; and run unnecessary services such as ping and\nchargen.\n\n8. Audit Trails - The computer network Novell servers do not have the auditing function\nturned on. Failure to create, maintain, and protect audit records could allow unauthorized\nactivities to go undetected and prevent the reconstruction of events; result in the failure to\ndetect security violations and prevent further damage to the system; impede the\ninvestigation of security incidents; and hamper the ability to troubleshoot system\nproblems.\n\n9. Network User Accounts - Critical security controls for protecting the confidentiality,\nintegrity, and availability ofNARA\'s IT systems and information were bypassed,\nbecause NARA officials do not always follow NIST and agency guidance when\nestablishing new user accounts at the Presidential libraries. Some users had not\ncompleted security awareness training before they were granted access to the network. It\nis important for a new user to understand the basic purpose of the Information Security\nProgram and its implementation, before IT system access is granted. New accounts were\ncreated without the required submittal of a New User Request Form. As a result, there\nwas no documentation available to identify who requested the new account and who\napproved the request. A required Background Investigation, i.e., authentication of an\nindividual\'s identity, was not always conducted before network access was granted. An\naccurate determination of identity is needed to make sound access control decisions.\n\nThese risk areas, which led us to report IT Security as a material weakness last period,\nstill persist and have not been mitigated. Therefore they should be added to the current\nIT Security material weakness in your FY 2007 assurance statement.\n\n Should you have any questions please contact me (ext. 71532) or James Springs (ext.\n73018).\n\n\n[Signature]\n\nPAUL BRACHFELD\nInspector General\n\n\n\n\n                       National Archives and Records Administration\n\x0c                                                                                           OIG Report No. 08-06\n\n\n\n\n                    National Archives and Records Administration\n                                                                                            8601 Adelphi Road\n                                                                           College Park, Maryland 20740-6001\n\nDate: \t      March 6, 2008\n\nTo: \t        OIG\n\nFrom: \t      NPOL\n\nSubject: \t   Comments on OIG Draft Report 08-06,\n             Evaluation ofNARA\'s Management Control Program for FY 2007\n\n\n\n             Thank you for the opportunity to comment on this draft report. We also appreciate the time\n             spent by the auditor to work with us regarding concerns in the original version of this draft\n             report. We concur with the three recommendations in the draft report and will proceed with\n             an action plan to address them.\n\n\n\n\n             Susan M. Ashtianie\n             Director\n             Policy and Planning Staff\n\n\n\n\n                                     NARA \'s web site is http://www.archives.gov\n\n\n\n\n                    National Archives and Records Administration\n\x0cI\n                      National Archives and Records Administration\nI                                                                                         8601 Adelphi Road \n\n                                                                         College Park,.Maryland 20740-6001 \n\n\nI    Date:      March 6, 2008\n\n\nI    To:        OIG\n\n                NPOL\n     From:\n\nI    Subject:   Comments on OIG Draft Report 08-06, \n\n                Evaluation ofNARA\'s Management Control Program for FY 2007 \n\n\nI\n\nI               Thank you for the opportunity to comment on this draft report. We also appreciate the time\n                spent by the auditor to work with us regarding concerns in the original version of this draft\n                report. We concur with the three recommendations in the draft report and will proceed with\n\nI               an action plan to address them.\n\n\n\nI\nI               Susan M. Ashtianie\n                Director \n\n                Policy and Planning Staff \n\n\nI\n\nI\n\nI\n\nI\n\nI\n\nI\n\nI\n\nI\n\n                                                                                     ATTACHMENT B\nI\n\n\x0c'